engine/src/main/resources/policy.json
{
"http": [ // 策略文件包名,默认存在5种,解析时分别放入对应集合
{
"name": "TOMCAT", //hook点名称
"className": "javax/servlet/http/HttpServlet",//hook点类名
"method": "service", //hook点方法名
"desc": "(Ljavax/servlet/http/HttpServletRequest;Ljavax/servlet/http/HttpServletResponse;)V", //hook点方法描述
"state": 1, //hook点启用状态 1:启用,0:关闭
"enter": 1, //hook点是否hook方法进入前 1:启用,0:关闭
"exit": 1 //hook点是否在hook方法进入前 1:启用,0:关闭
}
//...
/*
* 其他的一些参数
* from:污染源的来源,P1:第一个参数,P2:第二个参数,R:返回值,O:对象本身
* to :污染的去向,P1:第一个参数,P2:第二个参数,R:返回值,O:对象本身
* inter:hook点是否为接口,接口hook点会hook所有接口类
* exclude:排除hook的接口类的无需hook的类
* condition:针对过滤阶段,在结果中展示过滤的条件
*/
}{
"requestData": {
"url": "http://localhost:8080/xss/spel",
"method": "GET",
"headers": {
"host": "localhost:8080",
"connection": "keep-alive",
"sec-ch-ua": "\"Microsoft Edge\";v=\"117\", \"Not;A=Brand\";v=\"8\", \"Chromium\";v=\"117\"",
"sec-ch-ua-mobile": "?0",
"sec-ch-ua-platform": "\"Windows\"",
"upgrade-insecure-requests": "1",
"user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.31",
"accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
"sec-fetch-site": "same-origin",
"sec-fetch-mode": "navigate",
"sec-fetch-user": "?1",
"sec-fetch-dest": "document",
"referer": "http://localhost:8080/login",
"accept-encoding": "gzip, deflate, br",
"accept-language": "zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6",
"cookie": "Idea-ab6a4df1=4c076393-572b-496d-8a9a-86114d08791c; JSESSIONID=621D8B55C5B3A4F482D5D16068CE1843; XSRF-TOKEN=4fffa51c-868c-461c-8f9a-1449b916db57; remember-me=YWRtaW46MTY5NjUyMzg2NTU3ODoyMGFhMDExOGNkODM2YjZlM2ZmMzA5YmQxYmJlNDlkYg"
}
},
"responseData": {
"headers": {
"Connection": "close",
"Content-Length": "484",
"Content-Language": "zh-CN",
"Date": "Thu, 21 Sep 2023 16:37:45 GMT",
"Content-Type": "text/html;charset=ISO-8859-1"
}
},
"findingDataList": [
{
"flowData": [
{
"invokeId": 1,
"className": "org/springframework/web/method/support/HandlerMethodArgumentResolverComposite",
"method": "resolveArgument",
"desc": "(Lorg/springframework/core/MethodParameter;Lorg/springframework/web/method/support/ModelAndViewContainer;Lorg/springframework/web/context/request/NativeWebRequest;Lorg/springframework/web/bind/support/WebDataBinderFactory;)Ljava/lang/Object;",
"taintValueType": "java.lang.String",
"type": "SOURCE",
"fromValue": "T(java.lang.Runtime).getRuntime().exec(\"whoami\")",
"toValue": "T(java.lang.Runtime).getRuntime().exec(\"whoami\")",
"sanitizer": false
},
{
"invokeId": 2,
"className": "org/springframework/expression/common/TemplateAwareExpressionParser",
"method": "parseExpression",
"desc": "(Ljava/lang/String;Lorg/springframework/expression/ParserContext;)Lorg/springframework/expression/Expression;",
"taintValueType": "java.lang.String",
"type": "SINK",
"fromValue": "T(java.lang.Runtime).getRuntime().exec(\"whoami\")",
"vulnType": "Spring_Expression_injection",
"sanitizer": false
}
],
"vulnerableType": "Spring_Expression_injection"
}
]
}